Project: Application and database security

Goal: Improve security for the application and database layers of Air Forcesystems.

Obstacles: Many of the new systems are Web-based, exposing them tomore security vulnerabilities and hacker attacks.

Solution: A suite of tools to create multilayer protection.

Payoff: A model for application and data security has been established forthe Air Force and other agencies.

Transitioning from proprietarysystems to commercialproducts and Web applicationshas been a boon for the AirForce.

The Air Force can implementsoftware more quickly,widely and cheaply than withthe systems it used in the past.The new model also comeswith new security issues. Likeother government agenciesand private organizations, theAir Force is under constantthreat from hackers looking tosteal sensitive information. It'sa worldwide problem that'smushroomed during the pasttwo years.

More than 165 millionrecords containing personalinformation have beenbreached since 2005, accordingto the Privacy RightsClearinghouse, a nonprofitconsumer information andadvocacy organization.Vulnerable databases andWeb applications are amongthe leading contributors to theproblem.

To fight back, Air Force officialshave established an applicationsand software assurancecenter that provides a comprehensiveway to test and protectthe service's applications anddatabases, said Greg Garcia,director of the 754thElectronic Systems Group atMaxwell Air Force Base-Gunter Annex, Ala. The centereventually will be available tothe entire Air Force and couldbe a model for other defenseand civilian agencies.

"The Air Force has reallytransitioned from a developerof software to an implementerof software," Garcia said. "We'veshifted from the governmentowned,government-developedmodel to the commercial, off-the-shelf model."

With that, the Air Force hasmoved from a client/serverworld to net-centric operations,which forces more applications to be Web-enabled.Although that move and theadoption of a plug-and-playservice-oriented architectureenable faster adoption of software,the Air Force faces achallenge in securing newsystems.

"The way I like to phrase it isthat we need to secure thework of the net, in addition tothe network," Garcia said.

For many years, the focushas been on securing the network,but little energy and fewresources were spent on theapplications that reside on thenetwork. Web-centric systemsbring a different set of vulnerabilitiesto the forefront. Issuessuch as cross-scripting orauthentication can lead tobreaches in a system.

The project started out byconducting code analysis ofsource code, compiled codeand the run environments.That took about 18 months andrevealed that the vulnerabilitiesin the world are evolvingquickly. Air Force officials realizeda concentrated effort wasneeded to address such potentialvulnerabilities as theydevelop.

Four components make upthe Center of Excellence:

A source code analysis suite.

A Web penetration tool toidentify vulnerabilities.

Database protection.

The ability to protect Webapplications until developerscan fix source code.

Applications built for medicalfacilities, for example, willbenefit from the suite of toolsbecause Social Security numbersand critical informationare often a major part of thoseapplications.

Application Security'sDbProtect suite will be themain tool used to protect dataon Air Force systems. It combinesdiscovery, vulnerabilityscanning, real-time activitymonitoring, auditing andencryption. It also helpsensure that regulatory compliancerequirements are met.

The suite is designed as alayer of a multifaceted defensesystem, said Ted Julian, vicepresident of marketing andstrategy for ApplicationSecurity.

"What's unique about thisAir Force project is the relativecomprehensiveness of theirapproach to try and solve thisdata security epidemic," hesaid.

"There is no silver bullet,because if there was one, wewouldn't be in the securitypredicament we're in now."

Automated approach

Database security is aresponse to hackers changingtheir attacks to focus on stealingdata they can sell.Security installed where thedata lives ensures it's secureno matter how the hackersmight access it. It alsosecures against rogue insiderswho don't need to breakthrough the firewall to accessdata.

DbProtect addresses commonsecurity holes, such aschanging all the default IDsand passwords in a database.That sounds simple, and insome ways, it is. "The problemis that, for a modern database,there are between two andthree dozen default servicesthat get installed with adefault installation," Juliansaid.

Agencies can have hundredsand even thousands of databases."Multiply a thousand bytwo dozen accounts, that's alot of checks that you need torun and if you don't have anautomated way to do that,you'll probably never get itdone."

Staff writer Doug Beizer can bereached at dbeizer@1105govinfo.com.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.

Do you have a password?

Trending

In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet.
Read More